Correct vulnerability when setting pending intents on import/export notifications by setting FLAG_IMMUTABLE

For cases where we were setting an empty content intent, setContentIntent has not been required since Gingerbread

Bug: 161718556
Test: build
Change-Id: I1f62fdc077401fea2c48a31527464464f08a6b64
(cherry picked from commit 1d595f80e9c5157f8ca0285b572c9f1463e05c58)
diff --git a/src/com/android/contacts/vcard/ExportProcessor.java b/src/com/android/contacts/vcard/ExportProcessor.java
index 13d80ca..66308c6 100644
--- a/src/com/android/contacts/vcard/ExportProcessor.java
+++ b/src/com/android/contacts/vcard/ExportProcessor.java
@@ -304,11 +304,12 @@
         intent.setType(Contacts.CONTENT_VCARD_TYPE);
         intent.putExtra(Intent.EXTRA_STREAM, uri);
         // Securely grant access using temporary access permissions
-        intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+        // Use FLAG_ACTIVITY_NEW_TASK to set it as new task, to get rid of cached files.
+        intent.setFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK);
         // Build notification
         final Notification notification =
-                NotificationImportExportListener.constructFinishNotificationWithFlags(
-                        mService, title, description, intent, Intent.FLAG_ACTIVITY_NEW_TASK);
+                NotificationImportExportListener.constructFinishNotification(
+                        mService, title, description, intent);
         mNotificationManager.notify(NotificationImportExportListener.DEFAULT_NOTIFICATION_TAG,
                 mJobId, notification);
     }
diff --git a/src/com/android/contacts/vcard/NotificationImportExportListener.java b/src/com/android/contacts/vcard/NotificationImportExportListener.java
index beabe26..8d53468 100644
--- a/src/com/android/contacts/vcard/NotificationImportExportListener.java
+++ b/src/com/android/contacts/vcard/NotificationImportExportListener.java
@@ -16,6 +16,8 @@
 
 package com.android.contacts.vcard;
 
+import static android.app.PendingIntent.FLAG_IMMUTABLE;
+
 import android.app.Activity;
 import android.app.Notification;
 import android.app.NotificationManager;
@@ -229,7 +231,7 @@
                 .setSmallIcon(type == VCardService.TYPE_IMPORT
                         ? android.R.drawable.stat_sys_download
                         : android.R.drawable.stat_sys_upload)
-                .setContentIntent(PendingIntent.getActivity(context, 0, intent, 0));
+                .setContentIntent(PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE));
         if (totalCount > 0) {
             String percentage =
                     NumberFormat.getPercentInstance().format((double) currentCount / totalCount);
@@ -254,10 +256,6 @@
                 .setColor(context.getResources().getColor(R.color.dialtacts_theme_color))
                 .setContentTitle(description)
                 .setContentText(description)
-                // Launch an intent that won't resolve to anything. Restrict the intent to this
-                // app to make sure that no other app can steal this pending-intent b/19296918.
-                .setContentIntent(PendingIntent
-                        .getActivity(context, 0, new Intent(context.getPackageName(), null), 0))
                 .build();
     }
 
@@ -270,29 +268,16 @@
      */
     /* package */ static Notification constructFinishNotification(
             Context context, String title, String description, Intent intent) {
-        return constructFinishNotificationWithFlags(context, title, description, intent, 0);
-    }
-
-    /**
-     * @param flags use FLAG_ACTIVITY_NEW_TASK to set it as new task, to get rid of cached files.
-     */
-    /* package */ static Notification constructFinishNotificationWithFlags(
-            Context context, String title, String description, Intent intent, int flags) {
         ContactsNotificationChannelsUtil.createDefaultChannel(context);
         return new NotificationCompat.Builder(context,
-                ContactsNotificationChannelsUtil.DEFAULT_CHANNEL)
-                .setAutoCancel(true)
-                .setColor(context.getResources().getColor(R.color.dialtacts_theme_color))
-                .setSmallIcon(R.drawable.quantum_ic_done_vd_theme_24)
-                .setContentTitle(title)
-                .setContentText(description)
-                // If no intent provided, include an intent that won't resolve to anything.
-                // Restrict the intent to this app to make sure that no other app can steal this
-                // pending-intent b/19296918.
-                .setContentIntent(PendingIntent.getActivity(context, 0,
-                        (intent != null ? intent : new Intent(context.getPackageName(), null)),
-                        flags))
-                .build();
+            ContactsNotificationChannelsUtil.DEFAULT_CHANNEL)
+            .setAutoCancel(true)
+            .setColor(context.getResources().getColor(R.color.dialtacts_theme_color))
+            .setSmallIcon(R.drawable.quantum_ic_done_vd_theme_24)
+            .setContentTitle(title)
+            .setContentText(description)
+            .setContentIntent(PendingIntent.getActivity(context, 0, intent, FLAG_IMMUTABLE))
+            .build();
     }
 
     /**
@@ -311,10 +296,6 @@
                 .setSmallIcon(android.R.drawable.stat_notify_error)
                 .setContentTitle(context.getString(R.string.vcard_import_failed))
                 .setContentText(reason)
-                // Launch an intent that won't resolve to anything. Restrict the intent to this
-                // app to make sure that no other app can steal this pending-intent b/19296918.
-                .setContentIntent(PendingIntent
-                        .getActivity(context, 0, new Intent(context.getPackageName(), null), 0))
                 .build();
     }
 }